[SOLVED] Trouble configuring OpenVPN Server (ER605) allowing for client internet access

3 weeks ago - last edited 3 weeks ago
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.4 Build 20240119 Rel.44368

I can't seem to get internet access when connecting to the ER605 OpenVPN server (configured for Full Mode).

Tech details:

  • ER605 V2 Router; Firmware 2.2.4 Build 20240119 Rel.44368
  • Standalone mode
  • Connecting (testing) from Android phone on LTE+ network
  • Client using latest version of OpenVPN Android app


OpenVPN Server configuration on the ER605:

  • AccountPWD: disabled
  • Status: enabled
  • Full Mode: enabled
  • Protocol: UDP
  • Service Port: 1194
  • Local Network: N/A (grayed out)
  • WAN: WAN
  • IP Pool: 192.168.10.0/24
  • Primary DNS: 8.8.8.8
  • Secondary DNS: 8.8.8.4
  • Authentication Type: N/A (grayed out)


Firewall ACL:

  • Policy: Allow
  • Service Type: OpenVPN (I added a Service Type for UDP 1194)
  • IP Type: IPv4
  • Direction: [WAN] In
  • Source: IPGROUP_ANY
  • Destination: Me
  • Effective Time: Any


With the above in place I can successfully establish the OpenVPN connection from the phone (on LTE network) to the ER605 but that's all.  I do get an IP address on the specified network (as per the IP Pool setting) but using the Network Analyzer Android app, I don't seem to have a default gateway in my route table and I can't get anywhere.


Details from the Network Analyzer routing table:

192.168.10.8/30
- Gateway: *
- Iface: tun0
- Flags: N/A
- IP Version: IPv4

192.168.10.0/24
- Gateway: *
- Iface: tun0
- Flags: N/A
- IP Version: IPv4

8.8.8.8/32
- Gateway: *
- Iface: tun0
- Flags: N/A
- IP Version: IPv4

8.8.4.4/32
- Gateway: *
- Iface: tun0
- Flags: N/A
- IP Version: IPv4

*
- Gateway: *
- Iface: tun0
- Flags: N/A
- IP Version: IPv4

So I'm not sure what's going on - this is supposed to work, isn't it? Any suggestions? Maybe something to do with the ER605 Firewall ACLs or other settings - I'm just not sure what?

Thanks.

#1
Re:Trouble configuring OpenVPN Server (ER605) allowing for client internet access
3 weeks ago

Hi @Cold_in_Canada

Are you able to ping the IP address of the router after you connect to the VPN router?

Based on your description, you only have one ACL, that's correct? Try without any ACL.

Try a different DNS as well if you cannot access any website.

Best Regards!
#2
Re:Trouble configuring OpenVPN Server (ER605) allowing for client internet access
3 weeks ago

Clive_A wrote

Hi @Cold_in_Canada

Are you able to ping the IP address of the router after you connect to the VPN router?

Based on your description, you only have one ACL, that's correct? Try without any ACL.

Try a different DNS as well if you cannot access any website.

Thanks for your reply @Clive_A.  I do have other ACLs but I have effectively disabled all "Block" policy rules to test this.  (In lieu of a proper disable, I mimic disabling by changing the service type to "FTP").


Even with all Block ACLs changed to "ftp", after I connect using OpenVPN and I do a LAN scan, all I can see is myself.  I can't even see my gateway.


So this is a bit perplexing.... The VPN IP Pool I'm using is a secondary VLAN but with all block ACLs effectively disabled, I don't think that should matter.  And I did test it initially using my main VLAN as the VPN IP Pool.


Any other ideas on where to look?  The system log shows me virtually nothing (mostly just DHCP assignments).  I don't think I need to un-check anything under "Packet Anomaly Defense" for OpenVPN?

#3
Re:Trouble configuring OpenVPN Server (ER605) allowing for client internet access-Solution
3 weeks ago - last edited 3 weeks ago

SOLVED! Solution was to use the comp-lzo adaptive setting in the .ovpn file.

Found the solution in this post: https://community.tp-link.com/en/business/forum/topic/653224

My bad for not finding that article sooner.

Recommended Solution
#4
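A check I would run on the client profile before importing it, added here as an example and not code from the thread or from TP-Link: it parses the .ovpn directives and flags the two things the thread turned on (UDP/1194 transport and `comp-lzo adaptive`) plus the usual server-certificate pinning directive. The server-side expectations are assumptions taken from the posts, and SAMPLE_PROFILE is a constructed profile, not an ER605 export.

```python
"""Profile check added as an example; not TP-Link code. SAMPLE_PROFILE is constructed."""
import re

def parse_ovpn(text):
    """Map directive -> list of argument lists; inline <ca>...</ca> blocks are skipped."""
    out, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN comment lines
            continue
        if block:                                # inside <tag> ... </tag>, not directives
            block = None if line == f"</{block}>" else block
            continue
        if re.fullmatch(r"<\w+>", line):         # start of an inline block
            block = line[1:-1]
            continue
        name, *args = line.split()
        out.setdefault(name, []).append(args)
    return out

def check_profile(text):
    """Return (severity, message) findings; an empty list means nothing to flag."""
    d, findings = parse_ovpn(text), []
    # 'remote host [port [proto]]' overrides separate port/proto lines; OpenVPN defaults: 1194/udp.
    remote = d.get("remote", [[]])[0]
    port = remote[1] if len(remote) > 1 else d.get("port", [["1194"]])[0][0]
    proto = remote[2] if len(remote) > 2 else d.get("proto", [["udp"]])[0][0]
    if port != "1194" or not proto.startswith("udp"):   # server side in this thread: UDP 1194
        findings.append(("error", f"transport {proto}/{port} does not match the server's udp/1194"))
    # Compression must match the server; the thread's fix was 'comp-lzo adaptive' (a bare
    # 'comp-lzo' also means adaptive). A mismatch gives the thread's symptom: connected, no traffic.
    comp = d.get("comp-lzo")
    if comp is None or (comp[0] and comp[0][0] != "adaptive"):
        findings.append(("error", "missing 'comp-lzo adaptive', which the server requires"))
    else:
        findings.append(("warn", "compression is on: keep it only because the server requires it, "
                                 "VPN-layer compression is a known compression-oracle risk"))
    # Without this the client accepts any certificate from the CA as the server, a client cert included.
    if "remote-cert-tls" not in d:
        findings.append(("warn", "add 'remote-cert-tls server' so only a server certificate is accepted"))
    return findings

SAMPLE_PROFILE = """\
client
remote vpn.example.net 1194 udp
comp-lzo adaptive
<ca>
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
</ca>
"""
```

Run `check_profile(open("client.ovpn").read())` against the real export; an `error` finding reproduces the thread's "connected but nothing works" state, the `warn` findings are hardening notes.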
Re:Trouble configuring OpenVPN Server (ER605) allowing for client internet access
3 weeks ago - last edited 3 weeks ago

Also @Clive_A, I don't know (because of the "TP-LINK" tag in your handle) if you have influence over the configuration guides, but if you do, this one is reasonably good: "How to Configure TP-Link Omada Gateway as OpenVPN Server on Standalone Mode". But it doesn't mention that you also need to add the UDP/1194 service type and a WAN->Me ACL, both of which I believe are required and must be added manually when operating in standalone mode. Adding those two additional steps would benefit others in the future.

Thanks.

#5
Re:Trouble configuring OpenVPN Server (ER605) allowing for client internet access
3 weeks ago - last edited 3 weeks ago

Hi @Cold_in_Canada 

Thanks for posting in our business forum.

OK. Saw you've resolved this. Good for you.

Cold_in_Canada wrote

Also @Clive_A, I don't know (because of the "TP-LINK" tag in your handle) if you have influence over the configuration guides, but if you do, this one is reasonably good: "How to Configure TP-Link Omada Gateway as OpenVPN Server on Standalone Mode". But it doesn't mention that you also need to add the UDP/1194 service type and a WAN->Me ACL, both of which I believe are required and must be added manually when operating in standalone mode. Adding those two additional steps would benefit others in the future.

Thanks.

For the guides, you may write an email to our tech support team. They have a specialist to take care of your feedback like that.


But about your feedback contents, which I have highlighted, it is not necessary to have the ACL to get the VPN working.

If you don't want others to connect to your VPN, you should set up the deny all and allow a static IP address to connect. Setting up only one ACL to allow does not make a difference though.

Best Regards!
#6
Re:Trouble configuring OpenVPN Server (ER605) allowing for client internet access
3 weeks ago

Ah ok, thank you @Clive_A for this feedback. You're really helping me understand things.

I guess I was thinking that without any Firewall ACLs at all, the router would be, by default, blocking ALL ports from the outside. Now based on your feedback, I'm thinking that a subsequent ACL I have is likely blocking the outside.

I have various VLANs and I only want my "MainNetwork" to be able to manage the ER605. So I have a "block" ACL where the source is "!MainNetwork" and the destination is "Me" (for all service types). And perhaps that's blocking the outside as well (I admit, I never thought of !MainNetwork as including the WAN until now) - the extra and higher priority "allow" ACL for OpenVPN (UDP/1194 only) that I mentioned in my previous post is perhaps overriding that.

#7